Re: Adjusting Session Times

Tedd,
	I really like your solution.  The idea of storing the expiration in the SESSION makes it easier for me and makes it more flexible.  Someone else had provided a solution that would actually allow me to take it down to a user level if I needed to.  I loved the idea for flexibility but it would have required a major rewrite.  Your idea gives me the flexibility and doesn't require any major rewriting - just a little tweaking.

Thanks!
Floyd

On Sep 14, 2010, at 12:58 PM, tedd wrote:

> At 10:26 AM -0400 9/14/10, Floyd Resler wrote:
>> We just got a client whose requirement is that user sessions expire after 30 minutes of inactivity.  Our other clients are happy with not having their sessions expire during the work day (i.e. life is 8 hours).  I am using a MySQL database to store the session data.  My thought is to adjust the session expiration in the table based on the client currently logged in.  Is this a good approach or would there be better ways to do it?  And just to clarify: all clients use the same Web site.
>> 
>> Thanks!
>> Floyd
> 
> Floyd:
> 
> I don't know how others solve this, but my solution is pretty straightforward (see code below).
> 
> I require this code for every script that is in the secured area. Simply put, if the user runs a script, then this script is also run.
> 
> As a result, if the user is not logged in they are directed to the login script. If the user is logged in, but has exceeded the expiration time due to inactivity, then the user is redirected to the same login script with a GET value to trigger the login script to report that they timed out due to inactivity.
> 
> I find it bad practice to tell a user that they are not logged in when they did log in. It's better to explain why they have to log on again.
> 
> Now, with respect to your storing the expiration time in the database, that could be done easily enough by this script accessing the database, getting, and setting the time-limit -- OR -- at the start of any logon have the script pull the time-limit from the database and store that value in a SESSION. Either way would work.
> 
> In any event, this is what I do.
> 
> Cheers,
> 
> tedd
> 
> ========== code
> 
> <?php
> 
> $redirect = 'http://yourdomain.com/admin/logon.php';
> 
> // standard security
> 
> $secure = isset($_SESSION['security']) ? $_SESSION['security'] : 0;
> 
> if ($secure == 0) // if admin is not logged in -- then redirect to the admin logon
>   {
>   header("location:$redirect");
>   exit();
>   }
> 
> // timed security
> 
> $_SESSION['start'] = isset($_SESSION['start']) ? $_SESSION['start'] : 0;
> 
> $timelimit = 15 * 60; // 15 minutes
> $now = time();
> 
> if($now > $_SESSION['start'] + $timelimit)
>   {
>   logOff();
>   $t = '?t=1';
>   header("location:$redirect$t");
>   exit();
>   }
> 
> $_SESSION['start'] = time();
> 
> // properly logged on pass here
> 
> ?>
> 
> 
> <?php //============  log off  function =============
> // to destroy the current session
> 
> function logOff()
>   {
>   $_SESSION = array();
> 
>   if(isset($_COOKIE[session_name()]))
>      {
>      setcookie(session_name(), '', time()-86400, '/');
>      }
>   session_destroy();
>   }
> 
> -- 
> -------
> http://sperling.com/
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
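The approach discussed in this thread (copy a per-client time limit into the session at logon, then compare idle time against it on every secured request), as an added example that is not code from either poster. The function names, the `CLIENT_IDLE_LIMITS` table (a constructed stand-in for the database lookup) and the `timelimit` session key are assumptions; the session array and the clock are passed in so the logic can be exercised without a live session.

```php
<?php
// Added example: per-client idle timeout kept in the session (names are hypothetical).

// Constructed stand-in for the per-client limit that would come from the database.
const CLIENT_IDLE_LIMITS = [
    'strict_client' => 30 * 60,      // 30 minutes of inactivity
    'default'       => 8 * 60 * 60,  // 8-hour working day
];

// Call once at logon: copy the client's limit into the session.
function beginTimedSession(array &$session, string $client, int $now): void
{
    $session['security']  = 1;
    $session['timelimit'] = CLIENT_IDLE_LIMITS[$client] ?? CLIENT_IDLE_LIMITS['default'];
    $session['start']     = $now;
}

// Call on every secured request. Returns 'ok', 'anonymous' or 'timed_out'.
function checkIdle(array &$session, int $now): string
{
    if (empty($session['security'])) {
        return 'anonymous';
    }
    // A missing limit or timestamp is treated as expired (fail closed).
    $limit = $session['timelimit'] ?? 0;
    $start = $session['start'] ?? 0;
    if ($limit <= 0 || $now - $start > $limit) {
        $session = [];            // drop all session data before the caller logs off
        return 'timed_out';
    }
    $session['start'] = $now;     // activity resets the idle clock
    return 'ok';
}

// Constructed walk-through using a fake clock instead of time().
$strict = [];
$normal = [];
beginTimedSession($strict, 'strict_client', 1000);
beginTimedSession($normal, 'other_client', 1000);

$later = 1000 + 31 * 60;                 // 31 minutes with no requests
echo checkIdle($strict, $later), "\n";   // 30-minute client
echo checkIdle($normal, $later), "\n";   // 8-hour client
echo checkIdle($strict, $later), "\n";   // same 30-minute client, next request
```

In the secured-area include, pass `$_SESSION` and `time()`, and on `'timed_out'` call `logOff()` before redirecting with `?t=1`. PHP's `session.gc_maxlifetime` (or the garbage collection of the MySQL session handler) has to be at least as long as the longest limit, otherwise the session store can discard an 8-hour session before this check ever runs.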

